Got a Windows 2000 Server with Windows 2000 clients (no AD). Here's what I
did and I would love other sysadmin opinions:

1) For home shares, I wanted each user to map directly to their folder. I
created the Users$ folder for organization and administration. 
        \\servername\Users$\username$\
        Users$
                Share=Admin (Full)
                File Security=Everyone (Full)
        Username$ (Changes with each user)
                Share=User (Change)
                File Security=Everyone (Full)
                

2) For folders shared by groups of users, I wanted them to be able to see
all the folder names but only have access to the ones they should have. 
        \\servername\Groups$\subfolder
        Groups$
                Share=Admin (Full)
                        Everyone (Change)
                File Security=Everyone (Read, List Folder Contents)
                        Admin (Full)
        subfolders
                File Security=Specific Global Group (Modify)
                        Admin (Full)

3) Now the trickiest one: For shared application files, I wanted to be able
to map each user to a specific hidden share, but I did not want them to be
able to browse by double-clicking the mapped drive. The applications they
ran needed to be able to modify the data on the server, but I did not want
them to be able to easily delete the data through newbie behavior. Each of
the application shortcuts on their PC would access the files in the
subfolders *beyond* the share.
        \\servername\Apps$\application
        Apps$   
                Share=Admin (Full)
                        Everyone (Change)
                File Security=Admin (Full)
                        Everyone (Traverse Folder) <--- Here's the important part
        application
                File Security=Admin (Full)
                        Specific Global Group (Change)


Now, the hickie we came across is that the apps on the server like SQL and
Norton Antivirus could no longer access the folders in which we had removed
the Everyone rights. Adding SYSTEM and SERVICE accounts seemed to have fixed
that.

Now, I know I can do this much easier by mapping many drives, but I want to
keep things organized and simple for the users. Anyone know of a better way?

Charles R. Dewar
Systems Administrator
North Hills Hospital
Phone: 817.255.1777
Toll-free Fax: 866.947.3756
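
A simplified model of how the share and file-security settings in layouts 1 and 3 above combine over the network versus on the server itself, added here as an example and not part of the original post. The principal names (alice, bob, AppGroup) are constructed, and the model ignores deny entries, inheritance and user rights.

```python
# Added example: rights are modelled as plain sets (a simplification).
READ = {"traverse", "list", "read"}
CHANGE = READ | {"write", "delete"}
FULL = CHANGE | {"perms"}

def granted(acl, principals):
    """Union of the rights an ACL grants to any of the caller's principals."""
    out = set()
    for who, rights in acl.items():
        if who in principals:
            out |= rights
    return out

def effective(share_acl, ntfs_acl, principals, via_network=True):
    """Over the network: share rights AND file security. Locally: file security only."""
    ntfs = granted(ntfs_acl, principals)
    if not via_network:
        return ntfs
    return granted(share_acl, principals) & ntfs

# Constructed principals: alice is in the application's global group, bob is not.
ALICE = {"alice", "Everyone", "AppGroup"}
BOB = {"bob", "Everyone"}

# Layout 1: home share -> Share=User (Change), File Security=Everyone (Full)
HOME_SHARE = {"alice": CHANGE}
HOME_NTFS = {"Everyone": FULL}

# Layout 3: Apps$ root and one application subfolder
APPS_SHARE = {"Admin": FULL, "Everyone": CHANGE}
APPS_ROOT_NTFS = {"Admin": FULL, "Everyone": {"traverse"}}
APP_NTFS = {"Admin": FULL, "AppGroup": CHANGE}

def apps_subfolder(principals):
    """Rights inside Apps$\\application when reached through the share root."""
    root = effective(APPS_SHARE, APPS_ROOT_NTFS, principals)
    if "traverse" not in root:
        return set()
    # The share ACL applies to the whole tree below the share.
    return effective(APPS_SHARE, APP_NTFS, principals)

if __name__ == "__main__":
    print("alice via her home share:", sorted(effective(HOME_SHARE, HOME_NTFS, ALICE)))
    print("bob via alice's home share:", sorted(effective(HOME_SHARE, HOME_NTFS, BOB)))
    print("bob on the server itself:", sorted(effective(HOME_SHARE, HOME_NTFS, BOB, False)))
    print("alice at Apps$ root:", sorted(effective(APPS_SHARE, APPS_ROOT_NTFS, ALICE)))
    print("alice in application:", sorted(apps_subfolder(ALICE)))
```

In layout 1 the file security grants Everyone (Full), so the share permission is the only control separating one home folder from another; in layout 3 the root grants traverse without list, which is why the mapped drive cannot be browsed while the subfolder path still works.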
